Secunia Research: Mozilla Firefox Download Dialog Spoofing Vulnerabilities

======================================================================

                     Secunia Research 12/05/2005

    - Mozilla Firefox Download Dialog Spoofing Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Description of Vulnerabilities.......................................3
Solution.............................................................4
Time Table...........................................................5
Credits..............................................................6
References...........................................................7
About Secunia........................................................8
Verification.........................................................9

======================================================================
1) Affected Software

Firefox 0.10.1 and 1.0 for Windows

Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: Spoofing
Where:  From remote

======================================================================
3) Description of Vulnerabilities

Secunia Research has discovered two vulnerabilities in 
Mozilla Firefox, which can be exploited by malicious people to spoof 
file types in the file download dialog.

1) The filename and the "Content-Type" HTTP header are not 
sufficiently validated before being displayed in the file download 
dialog. This can be exploited to spoof file types in the file 
download dialog by sending specially crafted headers containing 
white space, dots and bytes with the value 160 (0xA0).

Successful exploitation may trick a user into executing malware if 
the file is opened through the file download dialog.

The vulnerability has been confirmed in Mozilla Firefox 0.10.1 
for Windows. Other versions may also be affected.

2) The "Content-Type" header is used for associating a file with a 
file type in the file download dialog, but the file extension is left 
intact when saving the file to disk with "Save to Disk". This can be 
exploited to spoof file types in the file download dialog.

Successful exploitation may result in malware being saved to the 
download directory, which by default is the desktop.

NOTE: If the downloaded malware is a shortcut or some executable file, 
then the icon can be spoofed in the download manager and on the 
desktop.

The vulnerability has been confirmed in Mozilla Firefox 1.0 
for Windows. Other versions may also be affected.
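
Added example (not part of the Secunia advisory or of Mozilla's fix): a
check that a download gateway or handler could run on the filename and
"Content-Type" value of a response, to flag the padding and the
type/extension disagreement described in 1) and 2). The function names,
the finding labels and both policy tables are assumptions of this example.

```python
import re

# Padding named in the advisory: white space and byte 160 (U+00A0 once decoded).
PAD = " \t\u00a0"
# Assumed policy tables for this example; they are not taken from the advisory.
EXPECTED_EXTS = {
    "application/pdf": {".pdf"},
    "text/plain": {".txt"},
    "image/jpeg": {".jpg", ".jpeg"},
}
LAUNCHABLE = {".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".lnk", ".hta"}


def effective_extension(filename):
    """Extension that remains once trailing padding and dots are ignored."""
    trimmed = filename.rstrip(PAD + ".")
    dot = trimmed.rfind(".")
    return trimmed[dot:].lower() if dot > 0 else ""


def check_download(filename, content_type):
    """Return findings for one download's filename and Content-Type value."""
    findings = []
    raw_type = content_type.split(";", 1)[0]
    declared = raw_type.strip(PAD).lower()
    ext = effective_extension(filename)
    # Trailing padding/dots, or a run of 3+ padding characters inside the name.
    if filename != filename.rstrip(PAD + ".") or re.search("[%s]{3,}" % PAD, filename):
        findings.append("padded-filename")
    # A media type never legitimately contains padding characters.
    if re.search("[%s]" % PAD, raw_type):
        findings.append("padded-content-type")
    # The type shown to the user and the extension saved to disk must agree.
    allowed = EXPECTED_EXTS.get(declared)
    if allowed is not None and ext not in allowed:
        findings.append("extension-type-mismatch")
    if ext in LAUNCHABLE and declared != "application/octet-stream":
        findings.append("launchable-extension")
    return findings


# Constructed sample inputs (not real traffic).
SAMPLES = [
    ("report.pdf", "application/pdf"),
    ("report.pdf" + "\u00a0" * 5 + ".exe", "application/pdf"),
    ("photo.scr", "image/jpeg"),
]
for name, ctype in SAMPLES:
    print(repr(name), ctype, check_download(name, ctype))
```

The first sample produces no findings. The other two are flagged because
the extension that reaches disk does not match the declared type.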

======================================================================
4) Solution

The vulnerabilities have been partially fixed in version 1.0.1.

======================================================================
5) Time Table

25/10/2004 - Vulnerabilities discovered.
01/11/2004 - Vendor notified.
05/11/2004 - Vendor patches vulnerabilities in the CVS repository.
09/11/2004 - Mozilla Firefox 1.0 released.
17/11/2004 - Vendor notified that the patch for the second 
             vulnerability can be bypassed.
24/02/2005 - Mozilla Firefox 1.0.1 released.
12/05/2005 - Public disclosure.

======================================================================
6) Credits

Discovered by Andreas Sandblad, Secunia Research.

======================================================================
7) References

Bugzilla references:

1) https://bugzilla.mozilla.org/show_bug.cgi?id=267122

2) https://bugzilla.mozilla.org/show_bug.cgi?id=267123
   https://bugzilla.mozilla.org/show_bug.cgi?id=275441

======================================================================
8) About Secunia

Secunia collects, validates, assesses, and writes advisories regarding
all the latest software vulnerabilities disclosed to the public. These
advisories are gathered in a publicly available database at the
Secunia web site:

http://secunia.com/

Secunia offers services to our customers enabling them to receive all
relevant vulnerability information to their specific system
configuration.

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/secunia_security_advisories/

======================================================================
9) Verification

Please verify this advisory by visiting the Secunia web site:
http://secunia.com/secunia_research/2004-11/advisory/

Complete list of vulnerability reports released by Secunia Research:
http://secunia.com/secunia_research/

======================================================================